/srv/irclogs.ubuntu.com/2022/07/28/#ubuntu-motu.txt

=== luis220413_ is now known as luis220413
12:55 <luis220413> I want to fix CVE-2021-32798 in jupyter-notebook for all Ubuntu releases under standard support. The
12:55 <ubottu> The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker t... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32798>
12:55 <luis220413> sil2100: Please sponsor the SRU in bug 1956166
12:55 <ubottu> Bug 1956166 in xen (Ubuntu Focal) "Ubuntu 22.04 doesn't boot with xen" [Medium, Fix Committed] https://launchpad.net/bugs/1956166
12:57 <sil2100> luis220413: hey! So I see there's already a xen SRU in focal-proposed, and I see mfo would like to see it released first. I'll get the arch build failures one accepted so we can get that moving
12:58 <luis220413> sil2100: This is mfo's SRU
12:58 <luis220413> I want this one sponsored such that my security update can advance
12:58 <luis220413> sil2100: Thanks!
12:58 <sil2100> Ok, in that case, I'm on it now then! ;)
13:00 <sil2100> Changes looking good, done o/
13:01 <luis220413> I want to fix CVE-2021-32798 in jupyter-notebook for all Ubuntu releases under standard support. The upstream patch introduces a dependency on the NPM package @jupyterlab/apputils (unpackaged in Ubuntu), from which only sanitizer.ts is needed.
13:01 <ubottu> The Jupyter notebook is a web-based notebook environment for interactive computing. In affected versions untrusted notebook can execute code on load. Jupyter Notebook uses a deprecated version of Google Caja to sanitize user inputs. A public Caja bypass can be used to trigger an XSS when a victim opens a malicious ipynb document in Jupyter Notebook. The XSS allows an attacker t... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32798>
13:03 <luis220413> This file depends on node-sanitize-html (available only since Jammy), that build-depends on node-postcss, that did not migrate from bionic-proposed. This package, in turn, depends on node-source-html (>= 0.6.1), that was only satisfied in Bionic by packages in the -proposed pocket that were moved to cosmic-proposed shortly after Bionic was released.
13:03 <luis220413> *build-depends
13:03 <luis220413> *Build-Depends
13:03 <luis220413> How should I proceed?
13:05 <luis220413> The version of node-source-map that satisfies this requirement (0.6.1+dfsg-1) uses a new upstream release and appears to be substantially different from the version in the release pocket (0.5.7+dfsg-1).
13:05 <amurray> luis220413: sometimes it is not possible to patch every CVE - I would argue this is one of those cases where it is not possible to take the upstream fix due to the large amount of other dependencies it needs which can't be satisfied in that release
13:06 <amurray> luis220413: and so unfortunately it would remain unfixed
13:06 <luis220413> amurray: But this is a critical vulnerability: https://github.com/jupyter/notebook/security/advisories/GHSA-hwvq-6gjx-j797
13:06 <amurray> luis220413: have you ever opened a notebook from some other user which you didn't trust?
13:07 <luis220413> amurray: I do not, but many people use jupyter-notebook and may inadvertently open a malicious notebook.
13:08 <amurray> it doesn't involve privilege escalation so personally I would not say it is critical - especially when considered in light of the priority scheme which the security team currently uses https://people.canonical.com/~ubuntu-security/priority.html - it would be rated Medium in our scale
13:08 <amurray> in an ideal world we would patch everything - but we don't live in an ideal world
13:09 <amurray> luis220413: so the other option you have is to backport a newer version via the https://help.ubuntu.com/community/UbuntuBackports pocket - or just within a PPA
13:09 <amurray> then you can manage all the other required dependencies etc
13:13 <luis220413> amurray: This is arbitrary JavaScript execution, that allows for local data theft of the entire directory on which the notebook server is run, and therefore should be rated High
13:14 <luis220413> If you save the notebook into a directory and run the server in that directory or one of its parents
13:14 <luis220413> *ancestors
13:15 <amurray> luis220413: sure but it only runs as the local user right, so there is no privesc to root and hence by our criteria is a medium
13:16 <luis220413> amurray: I will try to break the dependency on node-source-map, and I have requested a backport of the two other dependencies to the -security pocket in bug 1983018.
13:16 <ubottu> Bug 1983018 in node-sanitize-html (Ubuntu) "Backport to Ubuntu 18.04 (and in some cases 20.04)" [Undecided, New] https://launchpad.net/bugs/1983018
13:17 <amurray> in that case I suggest this all be done in the backports pocket rather than security since there is likely too high a risk of regression to other packages which might depend on these packages etc
13:18 <luis220413> amurray: The packages to be backported in this bug do not exist in the target releases.
13:18 <luis220413> So there is no risk of regressing dependencies.
13:18 <luis220413> Because they do not exist
13:19 <amurray> oh in that case then it may be possible - apologies I hadn't realised that
13:19 <amurray> sorry I'll have to resume this conversation later - gotta run - thanks for your interest and help with ubuntu security
